smallstep au lieu de mkcert dans la vm

This commit is contained in:
Francois Lesueur 2023-05-26 11:36:05 +02:00
parent 4117afd993
commit 41e7591163
6 changed files with 41 additions and 55 deletions

View File

@ -55,10 +55,13 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc
# On place les certifs # On place les certifs
# On place les certifs
if [ -f tls/root_ca.crt ]; then
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
/usr/sbin/update-ca-certificates --fresh
fi
if [ -d letsencrypt ]; then if [ -d letsencrypt ]; then
cp -ar letsencrypt /etc/ cp -ar letsencrypt /etc/
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
/usr/sbin/update-ca-certificates --fresh
fi fi
# On sauve le proxy APT # On sauve le proxy APT

View File

@ -55,10 +55,12 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc
# On place les certifs # On place les certifs
if [ -f tls/root_ca.crt ]; then
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
/usr/sbin/update-ca-certificates --fresh
fi
if [ -d letsencrypt ]; then if [ -d letsencrypt ]; then
cp -ar letsencrypt /etc/ cp -ar letsencrypt /etc/
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
/usr/sbin/update-ca-certificates --fresh
fi fi
# On sauve le proxy APT # On sauve le proxy APT

View File

@ -23,9 +23,8 @@ if [ -f /clawsmail/addclawsuser.sh ]; then
fi fi
# On place les certifs # On place les certifs
if [ -d letsencrypt ]; then if [ -f tls/root_ca.crt ]; then
cp -ar letsencrypt /etc/ cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/root.crt
/usr/sbin/update-ca-certificates --fresh /usr/sbin/update-ca-certificates --fresh
fi fi
@ -34,7 +33,7 @@ echo -e '{
"policies": { "policies": {
"Certificates": { "Certificates": {
"ImportEnterpriseRoots": true, "ImportEnterpriseRoots": true,
"Install": ["/etc/ssl/certs/root.pem"] "Install": ["/etc/ssl/certs/root_ca.pem"]
} }
} }
}' > /usr/lib/firefox-esr/distribution/policies.json }' > /usr/lib/firefox-esr/distribution/policies.json

View File

@ -14,6 +14,11 @@ apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
cp dns.conf /etc/unbound/unbound.conf.d/ cp dns.conf /etc/unbound/unbound.conf.d/
# On place les certifs
if [ -f tls/root_ca.crt ]; then
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
/usr/sbin/update-ca-certificates --fresh
fi
# Install smallstep CA / ACME server # Install smallstep CA / ACME server
cd /tmp cd /tmp
@ -23,7 +28,7 @@ wget "https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.24.2
dpkg -i step-ca_0.24.2_amd64.deb dpkg -i step-ca_0.24.2_amd64.deb
echo "password" > /root/ca-passwordfile echo "password" > /root/ca-passwordfile
step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="letsencrypt/local/rootCA.pem" --key "letsencrypt/local/rootCA-key.pem" step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca_key"
echo -e '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile' >> /etc/rc.local echo -e '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile' >> /etc/rc.local
chmod +x /etc/rc.local chmod +x /etc/rc.local

View File

@ -143,48 +143,25 @@ SystemMaxFileSize=2M
EOF EOF
fi fi
# CA et certifs avec mkcert # CA et certifs avec smallstep
echo -e "\n #### mkcert\n" echo -e "\n #### smallstep\n"
DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools cd /tmp
wget "https://dl.smallstep.com/gh-release/cli/gh-release-header/v0.24.4/step-cli_0.24.4_amd64.deb"
dpkg -i step-cli_0.24.4_amd64.deb
echo "password" > /root/ca-passwordfile
step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile"
mkdir -p /root/mkcert mkdir -p /root/tls
cd /root/mkcert cp /root/.step/certs/root_ca.crt /root/tls/
if [ ! -f mkcert ]; then cp /root/.step/secrets/root_ca_key /root/tls/
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert step crypto change-pass /root/tls/root_ca_key --no-password --insecure --password-file="/root/ca-passwordfile" --force
chmod +x mkcert
mkdir -p /etc/letsencrypt/local/
export CAROOT=/etc/letsencrypt/local/
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
cd "${CAROOT}"
cat > "${CAROOT}/kaz.sns.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ] step certificate create "*.kaz.sns" /root/tls/wildcard.crt /root/tls/wildcard.key --profile leaf --ca /root/.step/certs/intermediate_ca.crt --ca-key /root/.step/secrets/intermediate_ca_key --ca-password-file /root/ca-passwordfile --bundle --force --no-password --insecure
CN = *.kaz.sns
emailAddress = admin@kaz.sns
O = KAZ
OU = Dev
L = Vannes
ST = France
C = FR
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.0 = *.kaz.sns
EOF
openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout kaz.sns.key -out kaz.sns.csr -config kaz.sns.cnf
/root/mkcert/mkcert -csr "${CAROOT}/kaz.sns.csr" # cert et clé dans /etc/letsencrypt/local/
mkdir -p /etc/letsencrypt/live/kaz.sns/ mkdir -p /etc/letsencrypt/live/kaz.sns/
ln -s ../../local/_wildcard.kaz.sns.pem /etc/letsencrypt/live/kaz.sns/fullchain.pem ln -sf /root/tls/wildcard.crt /etc/letsencrypt/live/kaz.sns/fullchain.pem
ln -s ../../local/kaz.sns.key /etc/letsencrypt/live/kaz.sns/privkey.pem ln -sf /root/tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem
fi
# Cache docker registry # Cache docker registry
echo "proxy: echo "proxy:
@ -219,10 +196,10 @@ auth:
cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
# crypto keys # crypto keys
cp -ar /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/ cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/ cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/
cp -ar /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/ cp -ar /root/tls /root/snster-kaz/isp-a/home/
cp -ar /etc/letsencrypt /root/snster-kaz/mica/infra/ cp -ar /root/tls /root/snster-kaz/mica/infra/
# On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév # On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév

View File

@ -26,10 +26,10 @@ git switch "${KAZBRANCH}"
# On écrase les anciens fichiers # On écrase les anciens fichiers
cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/ cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/
# crypto keys # crypto keys
cp -ar /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/ cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/
cp -ar /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/ cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/ cp -ar /root/tls /root/snster-kaz/isp-a/home/
cp -ar /etc/letsencrypt /root/snster-kaz/mica/infra/ cp -ar /root/tls /root/snster-kaz/mica/infra/
# On détruit et reconstruit tout sauf kaz-prod # On détruit et reconstruit tout sauf kaz-prod
SNSTER="snster -c /root/snster-kaz" SNSTER="snster -c /root/snster-kaz"